[Logwatch-Devel] Re: [Logwatch-Announce] Logwatch 4.1 has been released

mark@winksmith.com
Sat, 19 Oct 2002 19:56:39 -0400


On Sat, Oct 19, 2002 at 12:28:01PM -0700, James Wysynski wrote:
> 2) The only ICMP messages I've seen in my logs are of
> this format, which is presumably why it's not working
> with yours.  The ICMP messages are formatted the same
> as everything else is.
> 
> Oct 18 15:13:01 tilt kernel: ICMP drop IN=eth0 OUT=
> MAC=00:03:47:05:49:33:00:10:67:00:b2:50:08:00
> SRC=64.14.42.16 DST=67.115.101.130 LEN=64 TOS=0x00
> PREC=0x00 TTL=51 ID=28365 PROTO=ICMP TYPE=8 CODE=0
> ID=52994 SEQ=0 

Type 8 (ICMP_ECHO) messages are pretty boring.

> I'm running RedHat 7.3.  Do you have a Linux kernel,
> or something else?

I've seen the [bracketed] messages come out for type 11
(ICMP_TIME_EXCEEDED), type 4 (ICMP_SOURCE_QUENCH) and I think
type 3 (ICMP_DEST_UNREACH).  I'm running 2.4.18.  It is a
7.2 RH system with updates, including the 2.4.18 kernel.

> 3) Right now I parse prefix, in, out, src, dst, proto.
>  For your case it looks like I need to add some logic
> which will catch prefix, in, out, proto, src, dst (and
> possibly the square brackets).  It's hard to tell
> without the full log message.

Your wish is my command:

	Oct 13 11:35:05 internal kernel: FAILED INPUT: IN=eth0 OUT= MAC=00:a0:cc:d0:d9:8c:00:60:8c:39:ed:db:08:00 SRC=66.37.218.174 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=244 ID=5926 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.1.2 DST=66.37.215.45 LEN=67 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=47 ] 
	Oct 13 12:52:18 internal kernel: FAILED INPUT: IN=eth0 OUT= MAC=00:a0:cc:d0:d9:8c:00:40:96:33:53:6b:08:00 SRC=192.168.1.253 DST=192.168.1.2 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=47777 PROTO=ICMP TYPE=11 CODE=1 [SRC=192.168.1.2 DST=192.168.1.253 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=18362 MF PROTO=UDP SPT=2049 DPT=800 LEN=8328 ] 

-- 
Mark Smith
mark at winksmith dot com
mark at tux dot org
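The parsing problem James describes above (prefix, then `K=V` tokens in varying order, plus the bracketed inner header that ICMP error messages carry) is small enough to show in full. The block below is an added example written for this page; it is not code from the thread, from Logwatch, or from the kernel. The sample log lines are constructed, modelled on the ones quoted in the thread and unwrapped onto single lines the way the kernel actually emits them; the ICMP type table, the dataclass names and the `_2` suffix convention for repeated keys are my own choices.

```python
"""Parse netfilter (iptables LOG target) kernel messages, including the
bracketed copy of the offending packet header that ICMP errors carry."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines, modelled on those quoted in the thread.
SAMPLE_LOGS = [
    "Oct 18 15:13:01 tilt kernel: ICMP drop IN=eth0 OUT= "
    "MAC=00:03:47:05:49:33:00:10:67:00:b2:50:08:00 SRC=64.14.42.16 DST=67.115.101.130 "
    "LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=28365 PROTO=ICMP TYPE=8 CODE=0 ID=52994 SEQ=0 ",
    "Oct 13 11:35:05 internal kernel: FAILED INPUT: IN=eth0 OUT= "
    "MAC=00:a0:cc:d0:d9:8c:00:60:8c:39:ed:db:08:00 SRC=66.37.218.174 DST=192.168.1.2 "
    "LEN=56 TOS=0x00 PREC=0x00 TTL=244 ID=5926 DF PROTO=ICMP TYPE=4 CODE=0 "
    "[SRC=192.168.1.2 DST=66.37.215.45 LEN=67 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF "
    "PROTO=UDP SPT=1024 DPT=53 LEN=47 ] ",
    "Oct 13 12:52:18 internal kernel: FAILED INPUT: IN=eth0 OUT= "
    "MAC=00:a0:cc:d0:d9:8c:00:40:96:33:53:6b:08:00 SRC=192.168.1.253 DST=192.168.1.2 "
    "LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=47777 PROTO=ICMP TYPE=11 CODE=1 "
    "[SRC=192.168.1.2 DST=192.168.1.253 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=18362 MF "
    "PROTO=UDP SPT=2049 DPT=800 LEN=8328 ] ",
]

# Only the types mentioned in the thread plus the two obvious neighbours (assumed table).
ICMP_TYPES = {0: "ECHO_REPLY", 3: "DEST_UNREACH", 4: "SOURCE_QUENCH",
              8: "ECHO", 11: "TIME_EXCEEDED"}


@dataclass
class Packet:
    fields: Dict[str, str]   # K=V tokens; a repeated key becomes LEN_2, ID_2, ...
    flags: List[str]         # bare tokens such as DF and MF


@dataclass
class LogEntry:
    timestamp: str
    host: str
    prefix: str              # the --log-prefix text, e.g. "FAILED INPUT:"
    packet: Packet           # the packet the rule matched
    inner: Optional[Packet]  # header quoted in [...] by an ICMP error, if any


LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\skernel:\s(?P<rest>.*)$")
INNER_RE = re.compile(r"\[(.*?)\]")


def parse_fields(text: str) -> Packet:
    """Turn 'K=V K=V FLAG ...' into a Packet, keeping field order independent."""
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in text.split():
        if "=" not in tok:
            flags.append(tok)              # DF / MF carry no value
            continue
        key, value = tok.split("=", 1)     # OUT= yields an empty value
        name, n = key, 2
        while name in fields:              # second LEN (UDP) or ID (ICMP echo id)
            name, n = f"{key}_{n}", n + 1
        fields[name] = value
    return Packet(fields, flags)


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one syslog line; return None if it is not a netfilter LOG message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    start = rest.find("IN=")
    if start < 0:
        return None
    prefix, body = rest[:start].strip(), rest[start:]
    inner = None
    im = INNER_RE.search(body)
    if im:                                  # ICMP error: cut out the quoted header first
        inner = parse_fields(im.group(1))
        body = body[:im.start()] + body[im.end():]
    return LogEntry(m.group("ts"), m.group("host"), prefix, parse_fields(body), inner)


def describe(entry: LogEntry) -> str:
    """One-line summary; for ICMP errors, name the packet of ours that triggered it."""
    p = entry.packet.fields
    s = f"{entry.prefix} {p['PROTO']} {p['SRC']} -> {p['DST']} in={p.get('IN', '')}"
    if p["PROTO"] == "ICMP":
        t = int(p["TYPE"])
        s += f" type={t}({ICMP_TYPES.get(t, '?')}) code={p['CODE']}"
    if entry.inner:
        q = entry.inner.fields
        src = q["SRC"] + (f":{q['SPT']}" if "SPT" in q else "")
        dst = q["DST"] + (f":{q['DPT']}" if "DPT" in q else "")
        s += f" [in response to our {q['PROTO']} {src} -> {dst}]"
    return s


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(describe(parse_line(raw)))
```

The point of keeping the bracketed header separate rather than merging its fields into the outer ones is that they describe a different packet: in an ICMP error the outer SRC is the router or host that complained, while the inner SRC/DST are the packet this machine sent. A report that counts ICMP errors by outer SRC alone misattributes them; the inner DST (and DPT) is what tells you which of your own connections, here a DNS query and an NFS reply fragment, drew the error.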